Customer Notice FAQs

Last updated 13 November 2020

Dear ShopBack Customer,

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

 

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. We do not collect credit card details.

 

We want to reassure you that we have further enhanced our security measures since September by taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations. 
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with CrowdStrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days, as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

 

Meanwhile, our investigation is still ongoing and we will continue to cooperate with the National Privacy Commission.

 

We thank you for your continued support and we will continue to release further updates. Please reach out to care@shopback.ph if we can help out at all.

Last updated 25 September 2020

On 17 September 2020, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We immediately removed the unauthorised access and engaged leading cyber security specialists to assess the extent of the incident and further enhance our security measures. 

We have notified our customers as well as the National Privacy Commission of the incident.

 

What is the extent of the incident?

We are currently confirming which data has been compromised. 

 

To date, we have no reason to believe that any of your personal data has been misused; however, the possibility still exists. What we can assure you of is that your cashback is safe, and that your ShopBack account password is protected by encryption.

Apart from your email addresses (or alternative login IDs) and limited transactional information, ShopBack does not require you to provide information to us that is not related to our specific services or campaigns. As a result, we do not have additional data that you had not provided directly to us. Types of data that you may have provided to us could include your:

  1. Name
  2. Contact information
  3. Gender
  4. Date of birth
  5. Bank account numbers (for customers who cash out to their bank accounts)
  6. PayPal/GCash Account ID

While bank account numbers do not permit third parties direct access to your bank accounts, users who have provided us with their bank account numbers should be watchful for potential phishing attacks.

This incident has not affected your cashback balances in your ShopBack account. You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

 

What actions are we taking? 

Our priority is the protection of your information and we are doing all that we can to minimize the risk of a similar incident occurring again. Since we became aware of the incident, we have:

  1. Immediately removed the unauthorized access.
  2. Notified our customers of this incident and will continue to provide updates over the course of the investigation on this page.
  3. Engaged external security specialists to identify and plug immediate vulnerabilities, support ongoing investigations, and fortify our security infrastructure. For example, we have validated our security plan with both internal security and external auditors and implemented additional authentication processes for all employees.
  4. Tightened monitoring of internal logs to ensure heightened detection of unauthorised access if any were to occur.

 

What can I do next?

Change your password: Your existing passwords are protected by encryption. As a further security measure, we still encourage you to reset your password via this link (https://shopback.ph/forgot?b=1) and to further protect your account by adding your mobile number if you have not already done so. As an added precautionary measure, the same password should not be used across different sites.

Report suspicious emails: If you receive emails that you believe are suspicious, do not click on them, do not respond, and if possible, flag these with your email provider.

Stay vigilant and beware of phishing and other scams. You may also refer to https://pnpacg.ph/main/gad-corner/iec-materials/2-uncategorised/172-common-types-of-internet-fraud-scams (operated by the Philippines National Police), which has further helpful advice on how to avoid scams.

Contact us via help@shopback.ph if you encounter any suspicious activity on your ShopBack account or if you have any questions. 

 

Is it safe to use ShopBack?

This incident has not affected your cashback balances in your ShopBack account. You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.
